Setup suggestions for LAN, NVR and maybe separate NAS/Android TV devices?

bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
Hello!

I initially thought what I wanted was 'standard' and looking at the 3 last pages of this section... it seems 'not really'. So let's start with the basics:
  • I have a PfSense box, a few Wifi Routers, 1 PoE switch (2+4) ports, some UniFi APs, a Dahua NVR 8 channel 4 PoE, 3 (shitty) wifi cameras, a Home Assistant installation with some IoT, 2 android TV devices, a NAS (soon 2)
  • The PfSense box can make 3 VLANs, I have other DD-WRT flashed routers eventually?
I'm not a very 'camera-man' person (if such a thing exists) and therefore started with 1, 2... as my wife insisted. Turns out it can be useful sometimes. So I was thinking I probably need up to 8 cameras at home (I am surely wrong, please note).

I don't like cloud things, I don't want to share anything I do at home either. The only reason my IoT devices would need to connect to the internet would be to update their firmware.

The NVR is the latest addition and I was thinking to do things "the right way".
How would you setup things between my "main lan" where I work and access the internet, the NAS (backups, file sharing, some automated scripts connecting to the internet and doing stuff, movies), the cameras and the NVR (not sure if all on the same separate VLAN, or just the cameras), the Android boxes streaming movies from the NAS and the Home Assistant setup which controls on/off for lighting, some sensors and some servers analytics?

I hope it is not too much, and I definitely am not asking for a complete tutorial. Just some basic guidelines about what to put where and the implications. I do plan on setting up a VPN to remotely access the NVR later I think...

Thank you very much for reading and the pointers you could provide.
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,407
Reaction score
2,795
Location
USA
I would recommend using these VLANs.
  • Main network - anything that you trust to have full access to the network and internet. Can access internet and other VLANs.
  • Guest network. Has internet access, but no other VLAN access. Might even consider isolating devices on the guest network, but that breaks "sharing" things between mobile devices. If that is something your guests do regularly, then you don't want to isolate them.
  • Network Printers. No internet access, no other VLAN access. (Devices on main VLAN will be able to see the printers and use them normally). If you need to allow guests access to the printers, you can always allow that as well.
  • CCTV cameras, NVR. No internet access, no access to other VLANs
  • IOT stuff that needs internet access. Things like your smart TVs, streaming devices, etc. Obviously has internet access, but no other VLAN access.
  • IOT stuff that doesn't need internet access. Things like "smart" plugs, appliances, lights and switches, etc. No internet or other VLAN access.
  • Gaming consoles (Xbox, PlayStation, etc.). Has internet access, but no other VLAN access. This is because online gaming usually requires a less stringent set of rules than I want to normally run in order to connect to the online servers properly. By having their own VLAN, I can allow less stringent rules for the consoles, but protect the rest of the network.
  • Other groups of devices - (like a digital phone system, etc). I run a VoIP digital phone system at my house, so all the phones are on their own VLAN. No internet access for the individual phones (only the service interface needs internet), no other VLAN access.
That might seem like overkill, but it is actually about the minimum I would consider. If you start with this architecture from the start, it isn't bad. If you have to go back and add these VLANs after setting up another scheme, it can be more painful to change. The idea is to isolate groups of devices on the network as much as possible. It might seem silly to have a VLAN for just network printers, but I don't want those printers on my main VLAN, and I see no reason to have them on an IOT VLAN where other devices could have access to them. So by having them on their own VLAN, I know they are isolated as much as possible and I can always allow the guest network to access them if needed as well without compromising the rest of the network isolation.

If you have a managed switch (at least one that can do VLANs - it doesn't have to be a fully manageable switch) your pfSense box can set up more than 3 VLANs. I suspect you are saying only three VLANs because your box has four network plugs. I run a pfSense box with just two network plugs (one WAN and one LAN). The LAN plug goes directly to my network managed switch (Aruba S2500-48p) and I can set up as many VLANs in the switch as I need.

I should note that VLANs are different from wireless networks. There may be some overlap (Guest network for example), but you don't need a wireless network set up for every VLAN. For example, on my Ubiquiti APs, I have these wireless networks set up: Main, Guest, IOT Internet, IOT No Internet, Gaming Consoles (in case friends bring their consoles over). If I had wireless printers, I would also have a Printers network, etc. This actually helps "automate" some of the setup. For example, if I get a new "smart plug" and I make it connect to the "IOT No Internet" wireless network, I know that device has to be part of the "IOT No Internet" VLAN with all the applicable rules already in place (i.e. no internet, no other VLAN access). I don't have to manually block individual devices from the internet, etc. I let the VLANs handle that for me. This is why I have an "IOT Internet" and an "IOT No Internet" VLAN and wireless network set up rather than having just one IOT VLAN with a mix of devices I want to have internet access and not have internet access.
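The VLAN plan above is only as good as the firewall rules that implement it, so it is worth checking the firewall's own log against the intended policy now and then. The script below is an added example (mine, not code from any poster or from pfSense): it encodes the recommended groups as a default-deny policy of which zones may initiate connections where, then reads a constructed, simplified log format (timestamp, pass/block, source, destination, protocol, port; not pfSense's real filterlog layout) and reports flows the firewall passed but the policy forbids, and flows it blocked that the policy intended to allow. The subnets, hostnames and log lines are all constructed.

```python
"""Audit firewall log flows against a default-deny inter-VLAN policy.

Added example; the subnets, log format and sample lines are constructed.
"""
import ipaddress
from dataclasses import dataclass

# VLAN roles follow the recommendation in the post above; the subnets are assumptions.
VLAN_SUBNETS = {
    "main": "192.168.10.0/24",
    "guest": "192.168.20.0/24",
    "printers": "192.168.30.0/24",
    "cctv": "192.168.40.0/24",
    "iot_internet": "192.168.50.0/24",
    "iot_nointernet": "192.168.60.0/24",
    "gaming": "192.168.70.0/24",
    "voip": "192.168.80.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in VLAN_SUBNETS.items()}

ANY = "*"
# Destinations each source VLAN may *initiate* connections to. Replies to
# established sessions are handled by the stateful firewall, so allowing
# "main -> printers" does not require any "printers -> main" rule.
POLICY = {
    "main": {ANY},
    "guest": {"internet"},
    "printers": set(),
    "cctv": set(),
    "iot_internet": {"internet"},
    "iot_nointernet": set(),
    "gaming": {"internet"},
    "voip": set(),
}


def zone_of(ip: str) -> str:
    """Map an address to its VLAN name, 'internet' for public space, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return "unknown" if addr.is_private else "internet"


def policy_allows(src_zone: str, dst_zone: str) -> bool:
    allowed = POLICY.get(src_zone, set())
    return ANY in allowed or dst_zone in allowed


@dataclass
class Flow:
    ts: str
    action: str  # "pass" or "block", as the firewall decided
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Flow:
    """Constructed format: '<ts> <action> <src_ip> <dst_ip> <proto> <dport>'."""
    ts, action, src, dst, proto, dport = line.split()
    return Flow(ts, action, src, dst, proto, int(dport))


def audit(lines):
    """Return (kind, src_zone, dst_zone, src_ip, dst_ip, dport) per mismatch.

    LEAK: the firewall passed a flow the policy says must not exist.
    OVERBLOCK: the firewall blocked a flow the policy intends to allow.
    """
    findings = []
    for line in lines:
        f = parse_line(line)
        s, d = zone_of(f.src), zone_of(f.dst)
        intended = policy_allows(s, d)
        if f.action == "pass" and not intended:
            findings.append(("LEAK", s, d, f.src, f.dst, f.dport))
        elif f.action == "block" and intended:
            findings.append(("OVERBLOCK", s, d, f.src, f.dst, f.dport))
    return findings


# Constructed log excerpt: a camera reaching the internet and a no-internet
# IoT device reaching the main VLAN are the kind of leaks a rule typo causes.
SAMPLE_LOG = [
    "2020-12-10T08:00:01 pass 192.168.10.23 192.168.30.5 tcp 9100",
    "2020-12-10T08:00:05 pass 192.168.40.11 54.0.0.1 tcp 443",
    "2020-12-10T08:00:09 block 192.168.20.40 192.168.30.5 tcp 631",
    "2020-12-10T08:00:12 block 192.168.50.7 93.184.216.34 tcp 443",
    "2020-12-10T08:00:20 pass 192.168.60.3 192.168.10.23 tcp 22",
    "2020-12-10T08:00:25 pass 192.168.70.9 104.16.1.1 udp 3074",
]

if __name__ == "__main__":
    for kind, s, d, src, dst, port in audit(SAMPLE_LOG):
        print(f"{kind:9} {s} -> {d}  {src} -> {dst}:{port}")
```

Run on the sample it reports two LEAK findings (cctv to internet, iot_nointernet to main) and one OVERBLOCK (iot_internet to internet). Adapting it to a real firewall means replacing parse_line with a parser for that firewall's log format and filling in the real subnets; the policy table itself is the part worth keeping in version control next to the spreadsheet of devices.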
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Better get a Google Sheets or Excel spreadsheet started :)
what I use columns for:
assigned static IP or DHCP reserved IP addresses / MAC address / serial number / current firmware version / what VLAN it is on
color codes to make things easy for organization
I try to stick with everything Home Assistant-wise to Z-wave. Less network traffic, less IP hackables.
I'm in the midst of re-organizing my entire network to something Auto mentions above as my system was clunked together way too quickly during emergency home security events.
CAMERA NETWORK = all IP cameras & my Blue Iris server (read somewhere not good idea to cross VLANs when it comes to cameras and NVR/Blue Iris server). Totally locked down other than UI3 allowed to other subnets, local NTP server, VTO doorbell allowed to do push notifications, and Blue Iris server allowed to browse (gotta update BI at times). I have all IP cameras blocked to the internet (Ubiquiti UDM router & Ubiquiti managed 48-port PoE switch) using WAN OUT firewall rules. Would also like to block MAC addresses but haven't figured out how to make a 'group' of MAC as you can with a group of 'IP'.
Having serious problem with firewall rules in regards to the Dahua VTO villa intercom doorbell & push notifications. But I'm learning as I go. Had to setup a Ubiquiti local RADIUS VPN server and found out how to have smartphone enable 'always on'.

Right now, both my Synology NAS and Home Assistant server are located on my main network. They will eventually go on their own network.
Did setup AdGuard DNS and Chrony for HA. Neat little things for local DNS & NTP servers to help even more with a secure network.

which reminds me....back to learning Wireshark...
 

bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
Thank you both for your suggestions. I'll start implementing the various suggestions, keeping track of it in a wiki (that's what I use for my IT stuff) and come back with probably more specific questions if I have any doubt.

Thank you again.
Fred
 

bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
Hi!
Small update: so I have 3 VLANs for now and while it was mainly easy to set up I'm being hit by MAC address changes on a few devices, namely those "lovely" Reolink cameras, my Xiaomi light bulbs, my TP-Link "smart plug" HS110. I didn't find any specific option related to MAC randomization in their respective apps.
This is a problem as I am assigning IP addresses based on MAC address. I know I could set up their IP directly inside each device but I am trying to avoid that for easier management. Already just changing WiFi network was a pain...

And then I am trying to look at the Dahua interface and I don't find it great... but again since my cameras "disappear" it makes the whole setup more challenging. So I'm trying to take it one step at a time. Any idea on those MAC address changes and tricks you may have to fix it without setting up individual IPs inside the IoT?

Thank you.

Fred
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Hi!
Small update: so I have 3 VLANs for now and while it was mainly easy to set up I'm being hit by MAC address changes on a few devices, namely those "lovely" Reolink cameras, my Xiaomi light bulbs, my TP-Link "smart plug" HS110. I didn't find any specific option related to MAC randomization in their respective apps.
This is a problem as I am assigning IP addresses based on MAC address. I know I could set up their IP directly inside each device but I am trying to avoid that for easier management. Already just changing WiFi network was a pain...

And then I am trying to look at the Dahua interface and I don't find it great... but again since my cameras "disappear" it makes the whole setup more challenging. So I'm trying to take it one step at a time. Any idea on those MAC address changes and tricks you may have to fix it without setting up individual IPs inside the IoT?

Thank you.

Fred
to my limited MAC address knowledge... I know you can have an ethernet hardwire port MAC address and then you have a WiFi wireless MAC address that can both be in a network device if it can do both. I never heard of a device having multiple MAC addresses if the unit has WiFi. Maybe others can jump in and reply on this one.
Wonder what Wireshark or a network scanner would have to say about this.
 

bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
Yes.. each network interface has a (different) MAC address, so a dual band wifi device will have at least 2 MAC addresses. I have Unifi wifi only supporting 2.4GHz having 3 MAC addresses: 1 for WAN, 1 for a specific wifi standard, and another one for the other standard. But the MAC addresses never change (not yet let's say...).
My issue is that for example the same Wifi camera supporting only 2.4GHz and no ethernet port had initially an address starting with 9a:de:d0:... and then 8a:de:.... so it is the same interface but just hard to predict MAC.
And it's not even the same brand of things doing this, it's happening on 3 different brands right now... and driving me half crazy. Besides I thought the first 2 or 3 blocks of a MAC address were company specific. So I am asking, just in case someone knows....

Thank you.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Yes.. each network interface has a (different) MAC address, so a dual band wifi device will have at least 2 MAC addresses. I have Unifi wifi only supporting 2.4GHz having 3 MAC addresses: 1 for WAN, 1 for a specific wifi standard, and another one for the other standard. But the MAC addresses never change (not yet let's say...).
My issue is that for example the same Wifi camera supporting only 2.4GHz and no ethernet port had initially an address starting with 9a:de:d0:... and then 8a:de:.... so it is the same interface but just hard to predict MAC.
And it's not even the same brand of things doing this, it's happening on 3 different brands right now... and driving me half crazy. Besides I thought the first 2 or 3 blocks of a MAC address were company specific. So I am asking, just in case someone knows....

Thank you.
see? I never knew there was a different MAC address between 2.4 & 5 :) I just know.. my Dahua cams are not WiFi, hardwired only. For right now, I am only IP blocking. Once my configuration of firewall is to my liking, I'll add in MAC address blocking as well.
 

bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
a bit OT but I'm looking at getting Dahua cameras, PoE for mainly outside, like the gate (on the street) and the yard. Any recommendation? So many products and choices.... and eventually 1-2 for inside (yeah I know.. that's already more than the 8 channels of my NVR... ) :oops:
 

eeeeesh

BIT Beta Team
Joined
Jan 5, 2017
Messages
412
Reaction score
681
Personally, I would have purchased a Protectli 6 port to run pfSense and then set up actual physical subnets instead of your VLANs...


And yes, I always thought the first 6 of a MAC designated the manufacturer. Sounds like something else is going on. Never heard of a 'dual band' device having two different MAC addresses (unless there is an option to use 'randomized MAC addresses' - do you have a specific example?)
 

bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
Hey!
So I have a 4 port Protectli (I think I mentioned it earlier), so far I'm actually using those 3 physical ports for LAN, IOT with and without Internet.
For the MAC addresses thing I can post the Unifi AC LR (not mine) details:

AP model: Ubiquiti UniFi-AC-LR
WAN MAC address: 74:ac:b9:11:xx:xx
Radio 1 MAC address: 74:ac:b9:12:xx:xx
Radio 2 MAC address: 74:ac:b9:13:xx:xx
(*) xx:xx are actually the same values.

It's a dual band AP.

But I have the same with every device being dual or triple band (as in dual band + ethernet). My laptop's MACs are:
Eth: 54:ee:75:xx:xx:xx
5GHz: 60:57:18:xx:xx:xx
(*) here xx:xx:xx are totally different and I would assume the 5GHz one is probably randomized.

My TP-Link RE200, which is a dual band wifi extender has those 2 (which so far haven't changed...) , which I get from their web management interface:
Connection Status to Existing Network (2.4GHz)
Main Router/AP WiFi Network Name: xxxx
Main Router/AP MAC Address:
78-8A-20-11-XX-XX
Signal Strength: 68%
Connection Status: Connected
Connection Status to Existing Network (5GHz)
Main Router/AP WiFi Network Name: xxxx
Main Router/AP MAC Address:
7A-8A-20-12-XX-XX
Signal Strength: 42%
Connection Status: Connected

Thank you.
 

eeeeesh

BIT Beta Team
Joined
Jan 5, 2017
Messages
412
Reaction score
681
Sorry, I missed that you already have the Protectli. Fortunately, I bought the 6 port so I have enough ports to run all 4 of my subnets physically

I googled your RE200 and then made a mental note to never purchase a device like that. It appears that it uses some sort of Proxy Mode that would drive me crazy with their 'Virtual MAC addresses' and I never heard of having a separate MAC address for each band... Learn something everyday

In Proxy Mode, Range Extender will replace each of its clients' MAC address with a virtual MAC address generated automatically by Range Extender. Thus the router will take the virtual MAC address of the clients as their real MAC address, so that we need to type the virtual MAC addresses of these clients in the MAC Filtering of the router instead of their real MAC addresses. By comparing the figures below, you can better understand the process.

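A few posts up the question was whether the first blocks of a MAC address are company specific; the proxy-mode virtual MACs described here are one case where they are not. The first octet of a MAC address carries two flag bits: the lowest bit marks a multicast address, and the next bit (value 0x02) marks an address as locally administered rather than vendor-assigned. Vendor OUIs have that bit clear; randomized, virtual and software-set addresses usually have it set, and both 9a and 8a in the camera example above, as well as 7A in the extender's virtual address, have it set. The script below is an added example (mine, not any poster's or TP-Link's code): it classifies MACs on that basis and walks a constructed DHCP lease list to flag hostnames whose MAC changed between leases, which is exactly the symptom of a reservation that silently stops matching. Hostnames and lease records are constructed.

```python
"""Classify MAC addresses and spot hostnames whose MAC changed between leases.

Added example; the lease records below are constructed.
"""
import re
from collections import defaultdict

NON_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-...' or 'aa:bb:...' forms and return lowercase colon form."""
    digits = NON_HEX.sub("", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet (value 0x02) set: not a vendor-assigned address.

    Randomized, virtual (extender proxy mode) and tool-set MACs look like this.
    """
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (value 0x01) set: a group address, never a valid station MAC."""
    return bool(first_octet(mac) & 0x01)


def oui(mac: str) -> str:
    """First three octets; a vendor prefix only when universally administered."""
    return normalize_mac(mac)[:8]


def classify(mac: str) -> dict:
    return {
        "mac": normalize_mac(mac),
        "oui": oui(mac),
        "locally_administered": is_locally_administered(mac),
        "multicast": is_multicast(mac),
    }


def mac_drift(leases):
    """Hostnames seen with more than one MAC -> sorted list of those MACs."""
    seen = defaultdict(set)
    for hostname, mac, _ip in leases:
        seen[hostname].add(normalize_mac(mac))
    return {h: sorted(m) for h, m in seen.items() if len(m) > 1}


def review_leases(leases):
    """Per hostname: whether its MAC drifted and which of its MACs are locally administered."""
    drift = mac_drift(leases)
    report = {}
    for hostname, mac, _ip in leases:
        entry = report.setdefault(hostname, {"drifted": hostname in drift, "local_macs": []})
        n = normalize_mac(mac)
        if is_locally_administered(n) and n not in entry["local_macs"]:
            entry["local_macs"].append(n)
    return report


# Constructed DHCP lease snapshots (hostname, MAC, IP) from two consecutive days.
# cam-gate keeps its hostname but comes back with a different, locally
# administered MAC and therefore a dynamic IP instead of its reservation.
SAMPLE_LEASES = [
    ("cam-gate", "9A:DE:D0:01:02:03", "192.168.60.21"),
    ("plug-kitchen", "7a:8a:20:12:aa:bb", "192.168.60.22"),
    ("nas-main", "00:11:32:aa:bb:22", "192.168.10.5"),
    ("cam-gate", "8a:de:d0:01:02:03", "192.168.60.141"),
    ("nas-main", "00:11:32:aa:bb:22", "192.168.10.5"),
]

if __name__ == "__main__":
    for host, info in review_leases(SAMPLE_LEASES).items():
        state = "drifted" if info["drifted"] else "stable"
        print(f"{host:13} {state:8} locally administered: {info['local_macs']}")
```

On the sample, cam-gate is reported as drifted with two locally administered MACs, plug-kitchen as stable but with a locally administered MAC (the extender's virtual address, which can change whenever the extender regenerates it), and nas-main as stable with a vendor address. Feeding it the DHCP leases export from the router, one snapshot per day, gives an early warning before a camera "disappears" from the NVR.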
 

bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
wow... ok. So that would explain my problems! Thank you so much for identifying this issue! Geee.... you're amazing.. I was getting white hair (good excuse....).

By the way, I didn't buy it, someone gave it to me. And indeed most of the devices changing MAC addresses are mainly connected through this extender.

Now not to be... a pain(?).. I have a rPi 3B+ running OpenCanary on my main LAN using an Ethernet cable and using a fake MAC in order to pretend to be a Synology NAS. Even this one changed yesterday. I use macchanger to do that and checking (now) on the Pi it says my MAC is 00:11:32:xx:xx:22 . Yesterday I could see a dynamic IP assigned to my rPi instead and the MAC address was 00:11:32:xx:xx:23. (see the DHCP leases screenshot).

So any idea what would make this happen: macchanger? PfSense DHCP service (I doubt it)? Some Evil Spirit stuck on my network... ?

At least I get the RE200 issues identified... thank you for that!
 


bfred

n3wb
Joined
Dec 9, 2020
Messages
12
Reaction score
1
Location
Cambodia
In Proxy Mode, Range Extender will replace each of its clients’ MAC address with a virtual MAC address generated automatically by Range Extender.
I'm still baffled! And reading more support questions on the TP-Link forum basically the RE200 only supports proxy mode! Luckily OpenWrt seems to run on it and that's what I'm going to flash it with.
Sometimes you really wonder what those "tech people" have in mind when they design products!
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
I would recommend using these VLANs.
  • Main network - anything that you trust to have full access to the network and internet. Can access internet and other VLANs.
  • Guest network. Has internet access, but no other VLAN access. Might even consider isolating devices on the guest network, but that breaks "sharing" things between mobile devices. If that is something your guests do regularly, then you don't want to isolate them.
  • Network Printers. No internet access, no other VLAN access. (Devices on main VLAN will be able to see the printers and use them normally). If you need to allow guests access to the printers, you can always allow that as well.
  • CCTV cameras, NVR. No internet access, no access to other VLANs
  • IOT stuff that needs internet access. Things like your smart TVs, streaming devices, etc. Obviously has internet access, but no other VLAN access.
  • IOT stuff that doesn't need internet access. Things like "smart" plugs, appliances, lights and switches, etc. No internet or other VLAN access.
  • Gaming consoles (Xbox, PlayStation, etc.). Has internet access, but no other VLAN access. This is because online gaming usually requires a less stringent set of rules than I want to normally run in order to connect to the online servers properly. By having their own VLAN, I can allow less stringent rules for the consoles, but protect the rest of the network.
  • Other groups of devices - (like a digital phone system, etc). I run a VoIP digital phone system at my house, so all the phones are on their own VLAN. No internet access for the individual phones (only the service interface needs internet), no other VLAN access.
That might seem like overkill, but it is actually about the minimum I would consider. If you start with this architecture from the start, it isn't bad. If you have to go back and add these VLANs after setting up another scheme, it can be more painful to change. The idea is to isolate groups of devices on the network as much as possible. It might seem silly to have a VLAN for just network printers, but I don't want those printers on my main VLAN, and I see no reason to have them on an IOT VLAN where other devices could have access to them. So by having them on their own VLAN, I know they are isolated as much as possible and I can always allow the guest network to access them if needed as well without compromising the rest of the network isolation.

If you have a managed switch (at least one that can do VLANs - it doesn't have to be a fully manageable switch) your pfSense box can set up more than 3 VLANs. I suspect you are saying only three VLANs because your box has four network plugs. I run a pfSense box with just two network plugs (one WAN and one LAN). The LAN plug goes directly to my network managed switch (Aruba S2500-48p) and I can set up as many VLANs in the switch as I need.

I should note that VLANs are different from wireless networks. There may be some overlap (Guest network for example), but you don't need a wireless network set up for every VLAN. For example, on my Ubiquiti APs, I have these wireless networks set up: Main, Guest, IOT Internet, IOT No Internet, Gaming Consoles (in case friends bring their consoles over). If I had wireless printers, I would also have a Printers network, etc. This actually helps "automate" some of the setup. For example, if I get a new "smart plug" and I make it connect to the "IOT No Internet" wireless network, I know that device has to be part of the "IOT No Internet" VLAN with all the applicable rules already in place (i.e. no internet, no other VLAN access). I don't have to manually block individual devices from the internet, etc. I let the VLANs handle that for me. This is why I have an "IOT Internet" and an "IOT No Internet" VLAN and wireless network set up rather than having just one IOT VLAN with a mix of devices I want to have internet access and not have internet access.
I've always wondered.... should the Home Assistant server be located on the IoT Internet network? Right now, I have HA on my main network. I think, because I am still learning VLAN, subnet, and firewall headaches and just wanted the thing to work. I do have IoT devices on the IoT Internet network (2 robot vacuums, ambient weather station, 4 smart TVs, etc). Same applies for my Synology NAS being on my main network.
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,407
Reaction score
2,795
Location
USA
I've always wondered.... should the Home Assistant server be located on the IoT Internet network? Right now, I have HA on my main network. I think, because I am still learning VLAN, subnet, and firewall headaches and just wanted the thing to work. I do have IoT devices on the IoT Internet network (2 robot vacuums, ambient weather station, 4 smart TVs, etc). Same applies for my Synology NAS being on my main network.
I can only speak for what I do..... I run a Windows based automation software called Charmed Quark Controller (CQC for short). That machine also has my DVR system (SageTV) and a virtual machine running my digital phone system (PBX in a Flash). I think shielding that machine from the other IOT devices is better for security, so I have it on my main VLAN. Plus that machine needs to access the internet for updates as well as some of its functionality (phone trunk, TV Guide data, etc) so it would be on the IOT VLAN with my smart TVs, Alexas, and streaming devices. That's not really where I want to put a mission critical Windows machine.
 